The issue you're experiencing is not a bug, but rather a result of how federated sign-in flows work with Amazon Cognito, particularly for social identity providers.
The Pre sign-up Lambda trigger is designed to work with direct sign-ups to your Cognito User Pool, not with federated sign-ins like those initiated by signInWithRedirect for social providers. When users sign in through a federated identity provider, they are essentially already "signed up" with that provider, and Cognito is creating or updating a user profile based on the information received from the social provider.
For federated sign-ins, including those initiated by signInWithRedirect, Cognito uses a different flow. After the user authenticates with the social provider, Cognito receives an authorization code, exchanges it for tokens, and then queries the provider's userInfo endpoint to retrieve user attributes. Cognito then maps these attributes to the user's profile in the User Pool based on the attribute mapping rules you've set up.
If required attributes are missing after this process, Cognito will indeed throw an error like the one you've encountered. Unfortunately, the Pre sign-up Lambda trigger is not invoked in this flow, so it can't be used to pre-populate missing required attributes for federated sign-ins.
To address this issue, you have a few options:
- Adjust your attribute mapping in the Cognito console for the social provider to ensure all required attributes are properly mapped.
- If possible, request additional scopes from the social provider to ensure you receive all necessary user information.
- Consider using a Post authentication Lambda trigger instead. This trigger fires after a successful authentication, including for federated sign-ins. You could use this to add any missing required attributes to the user's profile.
- If you need more control over the process, you might consider implementing a custom authentication flow where you handle the social provider authentication separately and then use the Cognito API to create or update the user profile with all required information.
Remember, the OAuth 2.0 scopes you request in your OIDC provider configuration define the user attributes that the IdP provides to Amazon Cognito. As a best practice, ensure you're requesting all the scopes that correspond to the attributes you need in your User Pool.
Sources
User pool sign-in with a third party identity provider - Amazon Cognito
OIDC user pool IdP authentication flow - Amazon Cognito
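The Post authentication option from the answer above, worked through as an added example (not code from the answer or from AWS): a handler that back-fills required attributes the social IdP did not supply, using only values the IdP did send. It assumes the pool requires `email` and `name`, and injects a fake client in place of boto3's `admin_update_user_attributes` so it runs offline.

```python
# Added example, not from the answer above. Assumes the pool requires 'email'
# and 'name'; the Cognito client is injected so a fake can replace boto3 offline.
REQUIRED_ATTRIBUTES = ("email", "name")  # assumed required attributes

def missing_required(user_attributes, required=REQUIRED_ATTRIBUTES):
    """Names of required attributes that are absent or empty."""
    return [name for name in required if not user_attributes.get(name)]

def derive_fallbacks(user_attributes, missing):
    """Fallbacks built only from what the IdP supplied (assumed rule: 'name'
    = given_name + family_name, else the e-mail local part). Nothing is invented
    for 'email', so a missing e-mail stays visible instead of being papered over."""
    updates = {}
    if "name" in missing:
        parts = [user_attributes.get(k, "") for k in ("given_name", "family_name")]
        full = " ".join(p for p in parts if p).strip()
        if not full and user_attributes.get("email"):
            full = user_attributes["email"].split("@", 1)[0]
        if full:
            updates["name"] = full
    return updates

def post_authentication_handler(event, context, cognito_client):
    """Write fallbacks via AdminUpdateUserAttributes; hand the event back unchanged."""
    attrs = event["request"]["userAttributes"]
    updates = derive_fallbacks(attrs, missing_required(attrs))
    if updates:  # touch the profile only when something required is missing
        cognito_client.admin_update_user_attributes(
            UserPoolId=event["userPoolId"],
            Username=event["userName"],
            UserAttributes=[{"Name": k, "Value": v} for k, v in updates.items()],
        )
    return event  # Cognito expects the event object back from this trigger

class FakeCognitoClient:
    """Records AdminUpdateUserAttributes calls instead of calling AWS."""
    def __init__(self):
        self.calls = []
    def admin_update_user_attributes(self, **kwargs):
        self.calls.append(kwargs)

# Constructed sample event: a Google-federated user whose IdP sent no 'name'.
SAMPLE_EVENT = {
    "userPoolId": "us-east-1_EXAMPLE",
    "userName": "google_1234567890",
    "triggerSource": "PostAuthentication_Authentication",
    "request": {"userAttributes": {"email": "jane@example.com",
                                   "given_name": "Jane", "family_name": "Doe"}},
}
```

In a real deployment, pass `boto3.client("cognito-idp")` as the client and grant the function's role `cognito-idp:AdminUpdateUserAttributes` on that user pool only.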
I've tried a post auth extension but it does not trigger either. Is it possible to trigger anything with a federated sign-in?